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Abstract — In this paper, the problem of secret key agreement 
in state-dependent multiple access channels with an eavesdropper 
is studied. For this model, the channel state information is non- 
causally available at the transmitters; furthermore, a legitimate 
receiver observes a degraded version of the channel state in- 
formation. The transmitters can partially cooperate with each 
other using a conferencing link with a limited rate. In addition, 
a backward public channel is assumed between the terminals. 
The problem of secret key sharing consists of two rounds. In 
the first round, the transmitters wish to share a common key 
with the legitimate receiver. Lower and upper bounds on the 
common key capacity are established. In a special case, the 
capacity of the common key is obtained. In the second round, 
the legitimate receiver agrees on two independent private keys 
with the corresponding transmitters using the public channel. 
Inner and outer bounds on the private key capacity region are 
characterized. In a special case, the inner bound coincides with 
the outer bound. We provide some examples to illustrate our 
results. 

Index Terms — Information theoretic security, multiple access 
channel, state-dependent, secret key sharing, common and private 
key capacity region. 



I. Introduction 

Secure communication in a network is possible when legit- 
imate users have access to some secret keys. In [1], Shannon 
demonstrated that the perfect secrecy condition can be satisfied 
if: 

H(K) > H(M), 

where, H{K) and H(M) are the entropies of the message 
and the key, respectively. Secret key generation in a network 
requires the existence of common randomness between users. 
A simple model for common randomness, in the informa- 
tion theory context, is distributed correlated sources. This 
model was first studied by Ahlswede and Csiszar [2], where 
legitimate users utilize two correlated sources as common 
randomness to share a secret key in a noiseless network that 
must be concealed from an eavesdropper. In [3], new bounds 
on the secret key capacity over a multiterminal network with 
public channel were established by Gohari and Anantharam. 
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In their model, there are M legitimate terminals and an 
eavesdropper that have access to correlated sources. Only some 
of the legitimate terminals can transmit over the channel. All 
the legitimate terminals intend to agree on a common key that 
must be kept secret from the eavesdropper. In a noisy channel, 
common randomness can be obtained by implementing the 
channel distribution. This model is useful when illegal users 
have no access to the common randomness or a part of 
it. But if the legitimate users do not have any advantages 
compared to the illegal users, this common randomness is 
not beneficial for secret key sharing any more. Maurer solved 
this problem using a backward public channel in the wiretap 
model [4]. The backward public channel is a noiseless channel 
used by the receivers to transmit messages to the transmitters 
where the messages can be observed by an eavesdropper. In 
[2], Ahlswede and Csiszar showed that a forward noiseless 
channel does not help to solve the problem. In addition to the 
Maurer's solution, the problem can be solved when correlated 
sources are distributed between legitimate users in a noisy 
network. This idea was recently developed by Khisti et al. in 
the wiretap channel where the transmitter and the legitimate 
receiver have access to correlated sources [5]. Salimi and 
Skoglund, in another recent work, investigated the problem 
of secret key agreement over generalized multiple access 
channels using correlated sources [6]. In this channel, each of 
transmitters intends to agree on a private key with a receiver. 
Furthermore, when a forward public channel is available, the 
secret key sharing problem was studied by Salimi et al. [7]. 
In their model, the transmitters intend to share private keys 
over the generalized multiple access channel with the receiver 
using the public channel. The authors established examples 
to show that the forward public channel can improve the 
secret key capacity. In addition, they showed that using the 
forward public channel for key sharing is more effective than 
compress and forward strategy which was proposed in [8]. In 
state-dependent noisy networks, the Channel State Information 
(CSI) can be used as common randomness when illegal users 
have limited access to the CSI. In these networks, the CSI 
may be available causally or non-causally at the legitimate 
users. Khisti et al. studied the problem of secret key agreement 
over 2-receiver broadcast channels with causal or non-causal 
CSI where the transmitter upon observing the CSI generates a 



secret key and sends the required information over the channel 
and the legitimate receiver estimates the secret key [9]-[ll]. 

Cooperation can be effective for common key sharing in a 
network where there are more than one transmitter. Conferenc- 
ing is one of the schemes that can be utilized to provide coop- 
eration. In most cases, a noiseless channel with a limited rate 
is used to establish the conferencing scheme. In [12], Willems 
used the conferencing scheme in a multiple access channel 
where there is an interactive noiseless channel with a limited 
rate between the transmitters. Upon receiving sequences from 
the noiseless channel, each transmitter determines the channel 
input as a function of its message and the observed sequences. 

Main Contributions and Organization 

Consider a multiterminal network with n + 1 users, where 
one of them acts as a Trusted Center (TC) and others act 
as End Nodes (ENs). In addition, there is an illegal user in 
the network which wishes to eavesdrop. In this network, the 
ENs try to establish a confidential connection with the TC. 
Therefore, they first need to agree on some keys with the TC 
to announce themselves as trusted users. For transmitting the 
confidential message, the TC needs to generate n independent 
private keys and share them with each of the ENs. These 
private keys provide an ability of multiplexing in the network. 
The eavesdropper tries to find the keys and attack the 
network. Motivated by the above scenario, we define our 
system model. As Fig. 1 illustrates, we consider a three-user 
network with an eavesdropper, in which two ENs and a TC 
are modeled as two transmitters and a legitimate receiver, 
respectively. The transmitters and the legitimate receiver are 
connected by a State-Dependent Multiple Access Channel 
(SD-MAC) where a conferencing link is available between 
the transmitters. In addition, the eavesdropper observes 
the channel. An insecure backward public channel with an 
unlimited capacity is available between all the terminals. In 
order to achieve a secure connection; at first, the transmitters 
intend to share a common key over the SD-MAC with the 
legitimate receiver using the conferencing scheme. Then, the 
legitimate receiver shares an independent private key with 
each of the transmitters over the public channel. 

In this model, we investigate the problem of secret key 
agreement in two rounds. In the first round, we establish 
the lower and upper bounds on the common key capacity. 
The intuition behind the lower bound comes from the 
superposition coding and random binning. The state is 
utilized to generate the common key by means of the hybrid 
joint source channel coding. In the second round, the inner 
and outer bounds are derived on the private key capacity 
region. The double random binning is used to satisfy the 
secrecy constrains. In this round, the private key capacity is 
obtained for some special cases. Different systems can be 
modeled as the SD-MAC with an eavesdropper. For example, 
we consider a binary memory with stuck at faults in which 
two end nodes utilize this memory to share a common key 
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Fig. 1 . The state-dependent multiple access channel with an eavesdropper. 



with a trusted center where an eavesdropper has access to the 
memory. As another example, we discuss the key agreement 
in the modulo-additive SD-MAC with an eavesdropper. 

The rest of the paper is organized as follows. In Section II, 
the problem definition is described. In Section III, our main 
results and the intuitions behind them are given. In Section 
IV, examples are provided. Finally, proofs are presented in 
Section V. 

II. Problem Definition 

Throughout the paper, we denote a discrete random variable 
with an upper case letter (e.g., X) and its realization by the 
lower case letter (e.g., x). We denote the probability density 
function of X over X with p(x) and the conditional probability 
density function of Y given X by p(y\x). Finally, we use Y n 
to indicate vector (Y 1; Y 2 , . ■ ■ , Y n ). 

A discrete memoryless SD-MAC with an eavesdropper is 
defined by a channel input alphabet X\ x X 2 , a channel state 
alphabet S, a channel output alphabet y, an eavesdropper's 
output alphabet Z and a transition probability function 
p(y,z\xi,X2,s) where Xi,X 2 ,y ',Z and S are finite sets. As 
Fig. 1 illustrates, the transmitters have access to the exact 
CSI while the legitimate receiver has access to the degraded 
version of the CSI non-causally. 

We consider the interactive key agreement in the SD- 
MAC with an eavesdropper where a backward public channel 
with unlimited capacity is available from the receivers to the 
transmitters. We assume that a noiseless channel, with limited 
rate Rc, is available between the encoders which can be 
used for conferencing. The interactive key agreement scheme 
consists of two rounds. In the first round, the transmitters 
generate a common key using conferencing and transmit 
required information for common key sharing to the legitimate 
receiver via the SD-MAC. In the second round, the legitimate 
receiver agrees on a private key with each transmitter using 



the public channel. In the following we clarify the schemes 
with details. 

A. The First Round 

In the first round, as Fig. 1 illustrates, the first transmitter, 
upon observing s n , generates fcoi £ [1 : 2 nR °) as a common 
key and sends the required information to the second trans- 
mitter over the noiseless channel with limited rate Rc- The 
second transmitter generates k 02 £ [1 : 2 nR °), as a function 
of received information and s n , to share with the legitimate 
receiver. Then, the transmitters determine xu and x 2 i for 
i € [1 : n], as deterministic functions of the corresponding 
common keys and s", and transmit and x 2 over the SD- 
MAC with an eavesdropper. The legitimate receiver observes 
the channel output y n and reconstructs the common key 
fco- The sequence z n is received from the SD-MAC by the 
eavesdropper. 

Definition 1: In the first round, a rate i?o is said to be 
achievable if for every e > and sufficiently large n, there 
exists a protocol such that 



Pv{K Q1 ? K 02 } < e 
Pv{U 2 i=1 {K ± K 0i }} < e 

-I(K ;Z n )<e 
n 

-log | K \< -H(K )+e 
n n 

-H(K ) > Ra - e 



(1) 

(2) 

(3) 
(4) 
(5) 



Equation ([TJi investigates conferencing achievement. Equation 
Q is the reliability condition of the common key. Equation ^ 
implies that the eavesdropper has effectively no information 
about the common key. Finally, the set of equations Q and 
<j3j investigate the uniformity conditions. 

Definition 2: The common key capacity is the set of all 
achievable rates R a . 

B. The Second Round 

In the second round, as Fig. 1 illustrates, the legitimate 
receiver, upon observing Y n and T n , determines two inde- 
pendent private keys k\ € [1 : 2 nRl ) and k 2 G [1 : 2 nR/2 ) for 
sharing with the first and second transmitter, respectively. The 
legitimate receiver transmits Vi = ^i(^i) an d ip 2 — "4> 2 {k 2 ) 
over the backward public channel. For i = 1,2, the zth trans- 
mitter estimates its private key fcj. The eavesdropper utilizes 
z n , ipi and ip 2 for eavesdropping. 

Definition 3: In the second round, a rate pair (Ri,R 2 ) is 
an achievable private key rate pairs if for every e > and 
sufficiently large n there exists a protocol such that 



Pi{Ki ? Ki} < e 
-I{K i ;Z n ,^ 2 ) <e 



I(K i ;X? c ,K i e,S n ,ip 1 ,ip 2 )<e 



(6) 
(7) 

(8) 



-log \K t |< -H(Ki)+e 
n n 

-H(Ki) >Ri-e 
n 



(9) 
(10) 



for i — 1, 2, where i c is i's complement, i.e., {i c , i} = {1, 2}. 
Equation |6]) is the reliability conditions. Equations (|7]i and 
<[8j mean that the eavesdropper and each transmitter have 
efficiently no information about the other transmitter's private 
key. Finally, the set of equations Q and ( fT0| ), investigate the 
uniformity conditions. 

Definition 4: The private key capacity region is the set of 
all achievable rate pairs (Ri,R 2 ). 

III. Main Results 

Here, we provide inner and outer bounds on the secret key 
capacity region of the SD-MAC with an eavesdropper, in two 
sub-sections. In sub-section |III-A| we discuss the lower and 
upper bounds on the common key capacity. The inner and 
the outer bounds on the private capacity region are given in 
sub-section IIII-BI 

A. The First Round 

In this sub-section, we present two theorems. Theorem 1 
states a lower bound on the common key capacity. 

Theorem 1 ( Common Key Lower Bound): The common 
key rate R is achievable for the first round if 

Ro<[I(V;Y,T\U)-I(V;Z\U)]+ (11) 

subject to the constraints: 

I{U;Y\T) < I{U;S) (12) 
I(V;Y,T\U) <I(V;S\U) (13) 
R c > H(U, V\S) (14) 

for some input distribution: 

p(s, t, u, v, xx,x 2 ,y, z) = p(s)p(t\s)p(u\s)p(v\u, s) 
p(xi\u, v, s)p(x 2 \u, v, s)p(y, z\xi,x 2 , a), (15) 

where [x] + = max{a;,0}. 

Outline of the Proof: The achievability follows by speci- 
fying the sequence U n as a description of S n . V n is generated 
over U n using the superposition coding. The U n and V n are 
shared between the transmitters by utilizing the conferencing 
link. The random binning is applied to satisfy the secrecy 
constrains. Upon observing T n and Y n , the legitimate receiver 
estimates the common key by means of joint typicality decod- 



ing. The proof is provided in section V-A 



Theorem 2 states an upper bound on the common key 
capacity. 

Theorem 2 ( Common Key Upper Bound): For the common 
key sharing, any rate R must satisfy 



R <I{X 1 ,X 2 ,S;Y,T\Z) 



(16) 



Proof: See Section \V-B\ 

In the following, we establish the common key capacity for 
a special case. 



Corollary 1: If the random variables U, V, Y and Z form 
the Markov chain, (U, V) -t Y — >• Z, i.e., the illegal output 
Z is the degraded version of Y, the common key capacity 
reduces to: 

R <I(V;Y,T\U,Z) (17) 

subject to the constraints: 

I{U-Y\T)<I(U-S) (18) 
I{V;Y,T\U) < I(V;S\U) (19) 
R C >H{U,V\S) (20) 

Proof: See section V-C| 

B. The Second Round 

Now, the bounds on the private key capacity region are 
given. Theorem 3 states an inner bound on the private key 
capacity region. 

Theorem 3 (Private Key Inner Bound): The private key 
rate pair (Ri,R 2 ) is achievable for the second round if 



Ri < [mm{I{T 1 ;X 1 ,S\T)-I(T 1 ;X 2 ,S\T), 
7(T 1 ;X 1 ,S|T)-7(T 1 ;Z)}] + 

Ri < [mm{I(T 2 ;X 2 ,S\T)-I(T 2 ;X u S\T), 
I(T 2 ;X 2 ,S\T)-I(T 2 ;Z)}} + 

subject to the constraints: 

I(T 1 ;X 1 ,S\T)<I(T 1 ;Y\T) 
I(T 2 ;X 2 ,S\T)<I(T 2 ;Y\T) 

for some input distribution: 

p(s,t,tx,t 2 ,xi,x 2 ,y,z) = p(s)p(xi,x 2 \s) 
p(y, z\x 1} x 2 , S)p(t)p{t l \t)p(t 2 \t). 



(21) 
(22) 

(23) 
(24) 

(25) 



Outline of the Proof: In order to achieve the inner bound, 
two conditionally independent sequences T" and T 2 are 
generated with probability distribution p(ti\t)p(t 2 \t). Then, 
we use the double random binning to satisfy the secrecy 



constrains. The proof is given in section V-D 



Theorem 4 states an outer bound on the private key capacity 
region. 

Theorem 4 (Private Key Outer Bound): For the private key 
sharing, any rate pair (Ri,R 2 ) must satisfy: 

Ri < wn.{I{T 1 ;X 1 ,S\Z),I{T 1] X 1 \X 2 ,S)} (26) 
R 2 < mm{I(T 2 ;X 2 ,S\Z),I(T 2 ;X 2 \X u S)} (27) 

This bound can be directly deduced from Theorem 1 in [2]. 
In the following, we obtain the private key capacity region for 
a special case. 

Corollary 2: If the inputs and output of the SD-MAC with 
an eavesdropper form a Markov chain as (Xi,Ti) —> (S,T) 
—> (X 2 ,T 2 ) —> Z, the private key capacity region reduces to: 



subject to the constraints: 

7(T 1 ;Jf 1 ,S|r)<7(Ti;Y|T) 
I(T 2 ;X 2 ,S\T)<I(T 2 ;Y\T) 



(30) 
(31) 



Proof: The achievability follows from Theorem 3 where we 
have: 

Ri > I(Ti;Xi,S\T) - max{7(T i; X 2 , S\T),I(T i; Z)} 

( = } I(T 1 :X 1 ,S\T)-I(T 1 ;X 2 ,S\T) = 7(T i; X 1 \S,T) 
-I(T 1 ;X !i \S,T) = I(T 1 ;X 1 ,X 2 \S i T) 
- J(T i; X 2 \X U S, T) - J(T i; X 2 \S, T) 

i /(Ta ;X 2 \S,T) + I {n ;Xi\X 2 ,S,T) — 7(T X ;X 2 \S, T) 



= I(T 1 ]X 1 \X 2 , S, T) ( = } J(T X ;Xi\X 2 ,S) 



(32) 



R x <I{T l ;X l \S,X 2 ) 
R 2 <I(T 2 ;X 2 \S,X 1 ) 



(28) 
(29) 



where (a), (6) and (c) can be deduced from the Markov chain, 
(X 1 , Ti) S T ->• (X 2 , T 2 ) Z. The proof of converse 
can be obtained from the outer bound of Theorem 4. 

IV. Examples 

Different examples can be established to illustrate our 
proposed model. In this section, we present some examples 
to explain our results. 

A. Binary Memory with Stuck at Faults 

Consider a network where two ENs intend to share a 
common key fco € [1 : 2 nR °) with the TC. In this network, 
a binary memory with stuck at faults is available where 
the eavesdropper has access to this memory. Suppose only 
the ENs have access to the defect information. For the 
key agreement, the ENs utilize the fault pattern to share 
the required information with the TC. The binary memory 
with stuck at faults can be modeled as the state-dependent 
memoryless channel where each of the memory cells sticks at 

with a probability |, likewise, sticks at 1 with a probability 
| and behaves as a noiseless binary channel with a probability 

1 — p [13]. For the described example, the following argument 
shows that a lower bound on the common key capacity is 
Ro < P bits subject to the constraint H(V\S) < 1 — p. 

We propose a protocol for the common key agreement: Fix 
distribution p(v, s) such that H(V\S) < 1 — p. Generate a set 
of 2" binary sequences v n (m v ), m v € [1 : 2") according to a 
Bernoulli distribution with success probability h where there 
are roughly 2™( 1 ~ p ) sequences v n that match any given fault 
pattern. Partition them into 2 nR ° equal size subsets. Choose 
the sequence v n such that v n and s™ are jointly typical respect 
to p(v,s). Set the subset index of chosen v n as the common 
key. By using the above protocol and Theorem 1, we prove 
Ro < P- 

Proof: By setting U = T = in Theorem 1, we have: 

Ro < I{V; Y) - I(V; Z) = H(V\Z) - H{V\Y) 
< H(V) - H(V\Y) = l-(l-p)=p bits 



and for the constraint we have: 

I(V; Y) < I(V;S) H{V\S) < H(V\Y) 
H(V\S) < 1-pbits 

In fact, the ENs utilize the fault pattern for common key 
sharing with the TC. Therefore, the common key rate is 
bounded by error probability p. 

B. The Modulo-Additive SD-MAC 

Consider the binary SD-MAC with channel output 
Y = X 1 © X 2 ® S © N± and eavesdropper's output Z = X 1 
© X 2 © S © N 2 where N x ~ Bern(pi), N 2 ~ Bern(p 2 ), 
< pi < p 2 < | and the channel state S has a Bernoulli 
distribution with success probability p$. In proposed model, 
the transmitters intend to share a common key ko £ [1 : 2 nR °) 
with the legitimate receiver Y using conferencing with limited 
rate Rc- A lower bound on the common key capacity of the 
modulo-additive SD-MAC with eavesdropper is 

Ro < H b ((a * p s ) *pi) + H b (p s *p 2 ) 
- H b ((a * p s ) * p 2 ) - H b (p s * pi) 

subject to the constraint: 

H(V\S) < min{H b (a) + H b (a * Pl ) - H b ((a * p s ) * Pl ),R c 

Proof: In order to prove the lower bound, we set U = T = 
and Xi = X 2 = V ~ Bern(a), using the conferencing link, 
in Theorem 1 such that 

Ro < I(V] Y) - I(V- Z) = H(Y) + H{Z\V) - H(Z) 

- H(Y\V) = H(V © S © Ni) + H(V © S © N 2 \V) 

- H(V ®S®N 2 )- H{V © S © N 2 \V) 

= H(V © 5* © iVi) + H(S © A^ 2 ) - H(V © S © N 2 ) 

- H(S ® N 2 ) = H b {{a * Ps ) * Pl ) 

+ H b (p s *p 2 ) - H b ((a*p s ) *p 2 ) - H b (p s *p\) 

for the constraint we have: 

I(V; Y) < I(V; S) ^ H(Y) - H(Y\V) < H(V) - H{V\S) 
H b ((a *p s )*Pi)- H b {a < H b (a) - H(V\S) 
H{V\S)<H b (a)+H b (a* Pl )-H b ((a*p s )*pi). 

and 

Rc > H(V\S) 

where a * b — a(l — b) + (1 — a)b and H b (x) — —x log(x) — 
(l-x)log(l-ar). 

V. Proofs 

In this section, we present proofs of the main results. In 
order to prove Theorem 1, we employ the superposition coding 
[14] and random binning [15]. The intuition behind the proof 
of Theorem 3 comes from the Slepian & Wolf coding [16] and 
the double random binning. The proofs of the outer bounds 
are similar to [2]. 



A. Proof of Theorem 1 

Fix probability distribution p(xi, u,v\s) for i = 1, 2, 
Codebook Generation: Randomly and independently gen- 
erate 2 nRu sequences U n (m u ), m u € [1 : 2 nRu ) each ac- 
cording to YYi=iP( u i)- The set of all sequences U n is repre- 
sented by C u . For each U n (m u ), randomly and conditionally 
independently generate 2 nRv , sequences V n (m v ), m v E 
[1 : 2 nRv ), each according to n"=iP( Wi l Ui ) an( ^ randomly 
partition them into 2 nRv bins. Consequently, each bin con- 
sists of 2 n ( Rv ~ Rv > sequences V n in average. Codebook C u 
contains of 2 nRu sub-codebooks where sub-codebook m u is 
represented by C v (m u ). 

Encoding: The first encoder, ENC 1, upon observing CSI 
s n chooses a pair (m u ,m v ) such that, 

( S ",u"K),/(m„))e7; ( " ) (S,C/,F). (33) 

If there is no such pair, ENC 1 sets (m u ,m v ) = (1,1). 
If there are more than one pair, ENC 1 randomly chooses 
m u and m v . Then, ENC 1 sends pair (m u ,m v ) over the 
noiseless channel with limited rate Rc. ENC 2 reconstructs 
u n (m u ) and v n (m v ), using the codebook. The reconstruction 
can be done successfully if: 

}R c >m ax {-\og(\\A(U)nC u || x || A(V)nC v (m u ) ||)} 
m„ n 

(34) 

the sets A(U) and A(V) are defined as below: 

A(U) = {u n \3 s n 3 (,u n ,s n ) E T t (n) {S,U)} 

•A(V) — {v n \3 s n ,u n 9 (v n ,u n ,s n ) €T t in) {S,U,V)}. 

where || A(U) n C u \\ and || A(V) n C v (m u ) \\ indicate the 
number of sequences U n in C u and V n in C v (m u ),m u 6 
[1 : 2 nRu ) that are jointly typical with S 1 ™, respectively. It can 
be shown that condition |34| is satisfied by R c > H{U,V\S). 
Simply, we can consider Rc = Ru + Rv- 

ENC j transmits xji — Xji(si,Ui(m u ),Vi(m v )) for i £ 
[1 : n], j = 1, 2 over the SD-MAC. This can be done with an 
arbitrarily small probability of error as n — > oo if: 

Ru>I(U;S) (35) 
R V >I(V;S\U) (36) 

The above conditions can be deduced from the covering lemma 
[17]. 

Remark 1: According to the channel distribution, the output 
distribution p(y) can be written as 

p(y) = ^2 p(y\ x i, x 2)p(xi,x 2 ,s). 

In order to cover the probability space of variables X\, X 2 
and S completely, we must generate the codewords X" and 
X 2 as functions of S n . 

Common Key Generation: The transmitters choose the bin 
index of v n (m v ) as the common key to share with the 
legitimate receiver. 



Decoding: The legitimate decoder, upon observing the chan- 
nel output y n , estimates u n (m u ) such that 

{y n ,t n ,u n {m u ))&T^\Y,T,U) (37) 

and recovers v n {m v ) <G C v (rh u ) such that 

(y n ,t n ,u n (m u ),v n (m v )) e T^ n) (Y,T,U,V). (38) 

If an error occurs, the legitimate decoder sets (m u ,rh v ) = 
(1, 1). By using the packing lemma and mutual packing lemma 
[18], the probability of error tends to zero as n — > oo if: 



Ru <I(U;Y\T) 

Rv <I(V;Y,T\U) 

Ru + Rv< I(U,V;Y\T) 



(39) 
(40) 
(41) 



Secrecy Analysis: In order to check the security condition 
on the common key rate averaged over the random codebook 
assignments C v , we have: 

I(K ; Z n \C v ) < I(K ; Z n , U n \C v ) = H(K \C V ) 
-H(K \Z n ,U n ,C v ) = H(K a \C v ) - H(K ,V n \Z n ,U n ,C v 
+ H(V n \K , Z n , U n ,C V ) = nRv - H(V n \Z n , U n , C v ) 
- H(K \Z n , U n , V r \C v ) + H(V n \K , Z n , U n , C v ) 

= nR v - H(V n \Z n , U n ,C V ) + H(V n \K ,Z n , U n ,C v ) 

(b) 

< nR v - nR v + nI(V; Z\U) + nR v - nR v 
-nI(V;Z\U) +ne = ne (42) 

where (a) follows from the fact that Kq is the bin index of V n 
and the equality H(K \Z n , U n , V n ,C v ) = holds, {b) can 
be deduced from inequalities H(V n \Z n ,U n ,C V ) < nR v - 
nI(V;Z\U) + ne and H(V n \K , Z n , U n , C v ) < nR v - 
nR v -nI(V; Z\U)+ne if R < I(V; Y, T\U)—I{V; Z\U)+e, 
the proof is similar to [18, Lemma 22.3]. 

B. Proof of Theorem 2 

In our described model, the legitimate receiver should be 
able to estimate the common key K correctly, therefore, ac- 
cording to the Fano's inequality we have -H(Ko\Y n , T n ) < e 
and also, the security condition -I(Kq\ Z n ) < e must be 
satisfied. We obtain an upper bound on R , 

nR = H(K ) = I(K ; Z n ) + H(K \Z n ) 

(a) 

< H(K \Z n ) + ne = I(K a ;Y n ,T n \Z n ) 

(b) 

+ H{K a \Y n ,T n ,Z n ) + ne < I(K ; Y n , T n \Z n ) + 2ne 

< I(K ,X?,X r 2 \S n ;Y n ,T n \Z n ) + 2ne 

( =' /(X™, X$, S n ; Y n , T n \Z n ) + 2ne 

n 

< H^u, X 2i, Si; Y^Zi) + 2ne 



where (a) deduces from the security condition, (b) follows 
from the Fano's inequality, (c) can be derived from the Markov 
chain K -> {X?,X$) -> (Y n , Z n ). (d) can be obtained by 
considering Q as a uniform variable over [1 : n). 

C. Proof of Corollary 1 

The achievability follows from Theorem 1 where we have: 

Ro > I(V; Y, T\U) - I(V; Z\U) = I(V; Y, T, Z\U) 

- I(V; Z\U, Y, T) - I(V; Z\U) ( = } I(V; Z\U) 

+ I{V;Y,T\Z,U)-I{V;Z\U)=I(V;Y,T\Z,U) (44) 

where (a) comes from the Markovity. For the converse proof, 
we have: 

ni? = H(K ) = I(K ; Z n ) + H(K \Z n ) 

(a) 

< H(K \Z n ) +ne = I(K ;Y n ,T n \Z n ) 

(b) 

+ H(K \Y n ,T n ,Z n ) + ne < I(K ; Y n , T n \Z n ) + 2ne 

< I(K ,X?,X%,S n ;Y n ,T n \Z n ) + 2ne 

' (c) ™ 

< Y, W>, X?,X%, S n ; ^,7^*, Y£ 1; 7™ +1 ) + 2ne 



{d) 



^ I(K , X™, X%, Sf, Yi, Ti\Zi, Y£_ l ,T™ +1 , S l x ) 



i=l 

n 

+ 2ne ( = 5 Y T (Vi; Yi,Ti\Zi, U t ) + 2ne 

^ nI{V Q ;Y Q ,T Q \Z Q ,U Q ,Q) + 2ne 
= nI(V Q ;Y Q ,T Q \Z Q ,U Q ) + 2ne 



(45) 



i=i 

nI(X 1Q ,X 2 Q,SQ;YQ,TQ\ZQ,Q) + 2ne 
nI{X lQl X 2Q ,S Q ;Y Q ,T Q \Z Q ) + 2ne 



where (a) follows from the security condition I(K Q ;Z n ) < 
ne, (b) comes from the Fano's inequality H (Ko\Y n , T n ) < 
ne. (c) and (d) can be deduced from the Markov 
chains, (K ,X?,X2,S n ) -+ (TP +1 ,YP +1 ) -+ Z? +1 and 
(K ,X?,X$) -> S 1 - 1 Z 1 - 1 , respectively. By defining 
V t = (K ,X?,X2,Si) and U t - (Y£ lt T? +1 , S^ 1 ), (e) is 
obtained. (/) can be established by considering Q as a uniform 
variable over [1 : n]. 

D. Proof of Theorem 3 

Fix probability distribution p(t\,t2,t) = p(t)p(ti\t)p(t2\t) 
Codebook Generation: For i = 1,2, randomly generate 
2 nRT * sequences T™(m ti ), m u e [1 : 2 nR ^) each according 
to Y\ n j=1 p{tij\t) and partition them into 2 nR ' T ^ bins and 2 nR '^ 
sub-bins using the double random binning. Therefore, there are 

2 n(R Ti -R' T .) sequences T n in each bin an( j 2 n{R Ti -R' T -R'i.) 

sequences T™ in each sub-bin in average. C Ti indicates the 
coodebook containing all T™. The bin m' t . and sub-bin mj' 
are represented by B'(m' t .) and B"(m'l), respectively. 

Private Key Generation: For i = 1,2, the legitimate re- 
ceiver, Y, upon observing the channel output y n , chooses 
t?( m u) suc h that 



(43) 



(<?K).i/ n )^ n) (Ti,y) 



(46) 



and sets m" , t™(m ti ) € B"(m"), as private key fcj to share 
with the ith transmitter. This can be done with an arbitrarily 
small probability of error if: 

R Ti >m-Y\T). (47) 

The above conditions can be deduced directly from the cov- 
ering lemma. 

Use of Public Channel: The legitimate receiver, Y, transmits 
m' t . , i" (m t . ) <G B' (m' t . ) for i = 1 , 2 over the backward public 
channel. 

Key Reconstruction: The ith transmitter, upon receiving m' t ., 
estimates m ti such that 

t?{m ti ) e B'(m' t .), (48) 
(x2,s n ,tnm ti ))&T e ^(X i ,S,T i ), (49) 

and finds k { such that tf(m u ) € B"{ki). 

This can be done with an arbitrarily small probability of error 

if: 

- < ^(^i, S; Ti\T) for i = 1,2. (50) 

The above conditions can be deduced directly from the pack- 
ing lemma. 

Secrecy Analysis: In order to check the security condition 
on the private key rate R\ averaged over the random codebook 
assignments C Tl , we have: 

I{K t ; Z n , fa , fa \C Tl ) = H(K 1 \C Tl )- H{K X \ Z n , fa , fa, C Tl 
= H (K x |C Tl ) - # i , Tf |^™,^i,V2, C Tl ) 
+ #(7^ , Z n , fa , fa , C Tl ) = 

- H (7\" | Z" , Vi , ^2 , C Tl ) - | Z n , 7? , Vi >2 , C Tl ) 

+ H(T?\K u Z n , fa,fa,C Tl ) = 

+ , ^" , V'i , ^2 , C Tl ) - H(T?\Z n , fa, fa, C Tl ) 

(b) 

< nR'^ - nR Tl + nR' Ti + nI(T x ;Z) 

+ nR Tl - nR' Ti - nR^ 1 - n/(Ti ; Z) + ne = ne (51) 

where (a) follows from the fact that K\ is the sub-bin index 
of T? and the equality H(K 1 \Z n ,T?,fa,fa,C Tl )=0 
holds. (6) can be obtained from the inequalities 

H(T?\Z n ,fa,fa,C Tl ) < nR Tl - nR' Ti - nI(fa;Z) + ne 
and ^TflijTi.Z",^!,^,^ 1 ) < nR T ^ - nR' Ti - nR'^ - 
nl{T x ;Z) + ne if R 1 < 7(T i; X u S\T) - I{T X ;Z) + e, the 
proof is similar to [18, Lemma 22.3]. And, 

I(K 1 ;K 2 ,X^S n ,fa,fa\C Tl ) 
<I(K 1 ;K 2 ,X^,S n ,T n ,fa,fa\C^) 
= ff(^!|C Tl )- H(K 1 \K 2 ,X^S n ,T n ,fa,fa,C T ') 



= H(K 1 \C T i)-H(K 1 ,T i n \K 2 ,X2,S n ,T n ,fa,fa,C T i) 

+ H{T[ L \Ki, K 2 , X 2 , S n ,T n , ipi,fa,C Tl ) 

= nR^ - H{T?\K 2 , X% ,S n ,T n ,fa,fa, C Tl ) 

- H(K X \K 2 ,X^, S n , T n , T™, Vi, ^2, C Tl ) 

+ (T? | , ^ 2 , X 2 " , 5" , r , V i , V>2 , C Tl ) 

= W nR'^ - H(T?\K 2 , X 2 " , S n , T n , fa , fa , C Tl ) 

+ H (7\" | K x , K 2 , X? , S n , r , V i , V>2 , C Tl ) 

< (b) ni?^ - nR Tl + nR' Tl + nI(T 1 ;X 2 , S\T) 

+ nR Tl - nR' Ti - nR^ i - nI(T 1 ;X 2 , S\T) + ne = ne 

(52) 

where (a) follows from the fact that Ki is the sub-bin index of 
Tf and the equality H(K 1 \K 2 ,X^,S n ,T n ,T{ l ,fa,fa,C Tl ) 
= holds, (b) can be deduced from the inequalities 

H{T?\K 2 ,X2,S n ,T n ,fa,fa,C T i) < nRr.-nR^-nlifa 
;X 2l S\T)+ne and B{T^\K 1 ,K 2 ,X^,S n ,T n ,fa,fa,C T ^) 
< nR Tl - nR' Ti - nR'^ - nI(T 1 ;X 2 ,S\T) + ne if R 1 < 
I(Ti;Xi,S\T) - I{Tx-X 2 , S\T) + e, the proof is similar to 
[18, Lemma 22.3]. Finally, we have: 

R 1 < min{I(T 1 ;X 1 ,S\T) - I(T i; X 2 , S\T), 
Iifa-X^S^-Iifa-Z)} 

Similarly, we can check the security conditions for K 2 . 

VI. Conclusion 

In this paper, we investigated the problem of interactive se- 
cret key sharing over a state-dependent multiple access channel 
with an eavesdropper. In our proposed model, the transmitters 
share a common key with the receiver over multiple access 
channel in the first round. The conferencing scheme has a 
beneficial role in the common key sharing. In the second 
round, the receiver agrees on two independent private keys 
with the corresponding transmitters using the public channel. 
The inner and outer bounds on the capacity region have been 
established for the common and the private keys capacity 
region. 
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